System and architecture for electronic fraud detection

ABSTRACT

Embodiments of an electronic fraud analysis platform system are disclosed which may be used to analyze tax returns for potential fraud. Analysis of tax return data using the tax return analysis platform computing systems and methods discussed herein may provide insight into whether a tax return may be fraudulent based on, for example, an initial screening component configured to filter tax returns which appear fraudulent due to missing or inaccurate information provided with the return; a device activity analysis component configured to identify whether a device used to submit a tax return or to provide further authentication information needed to complete processing of the return may have been used in other fraudulent activities; and a knowledge-based authentication component configured to identify potential fraudsters using dynamically generated questions for which fraudsters typically do not know the answers.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/928,770 filed Oct. 30, 2015, entitled SYSTEM AND ARCHITECTURE FOR ELECTRONIC FRAUD DETECTION, which claims the benefit of priority from U.S. Provisional Patent Application No. 62/073,714 filed on Oct. 31, 2014, entitled SYSTEM AND ARCHITECTURE FOR ELECTRONIC FRAUD DETECTION. All above-cited applications are hereby incorporated herein by reference in their entirety.

BACKGROUND

Billions of dollars of fraudulent tax refunds are paid out every tax year. This not only puts a strain on government's ability to provide services, but it also erodes public trust in our country's tax system. With the increased reliance on electronic filing of tax returns comes an increase of the efficiency of tax operations and overall convenience. However, this has also contributed to a rise in identity theft and unwarranted or fraudulent tax refunds. Stealing identities and filing for tax refunds has become one of the fastest growing non-violent criminal activities in the country, often resulting in significant returns for the fraudster.

SUMMARY OF CERTAIN EMBODIMENTS

In one embodiment, an electronic fraud detection system is disclosed. The system may comprise: an electronic data interface module configured to electronically communicate with a first electronic data store configured to at least store tax return filing data associated with a plurality of consumers and at least one tax agency, wherein access to the first electronic data store is provided by a tax agency computing system, a second electronic data store configured to at least store consumer data associated with the plurality of consumers, and a third electronic data store configured to at least store consumer device activity data associated with a plurality of consumer devices associated with the plurality of consumers; an initial screening module configured to apply filters to tax return filing data, including at least one or more consumer attributes associated with each respective consumer and received from the electronic data interface module, to generate a set of electronic tax fraud indications that represent whether consumers records within the tax return filing data are likely fraudulent due to missing or inaccurate information; a knowledge-based authentication module configured to dynamically generate authentication questions associated with a consumer associated with one of the consumer records identified as likely fraudulent, the generated questions based on consumer credit data corresponding to the consumer that is received from the electronic data interface module, for which the answers are confidential and based on credit data, to provide the authentication questions, receive authentication response information corresponding to the authentication questions, and generate an electronic authentication indication representing an accuracy level of the authentication response information; a device authentication module configured to dynamically analyze whether a computing device used to provide the authentication response information may have been used in fraudulent activities or is related to other devices that have been used in fraudulent activities using a unique device identifier associated with the computing device, the unique device identifier generated using information collected from the computing device, and further configured to generate an electronic device indication representing a risk level that the device associated with fraud; and an accuracy reporting module configured to make the electronic authentication indication and the electronic device indication available to the tax agency computing system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram which illustrates an exemplary data flow between a consumer device, tax agency computing system(s), and a tax return analysis platform system, according to one embodiment.

FIG. 2 schematically illustrates a logical flow diagram for one embodiment of an example process for performing an initial tax fraud screening of one or more tax returns which may be run by one embodiment of the tax return analysis platform computing system of FIG. 6.

FIG. 3 schematically illustrates a logical flow diagram for one embodiment of another example process for performing a device activity analysis and/or a knowledge-based authentication process which may be run by one embodiment of the tax return analysis platform computing system of FIG. 6.

FIG. 4 schematically illustrates a logical flow diagram for one embodiment of a process for performing a device activity analysis which may be run by one embodiment of the tax return analysis platform computing system of FIG. 6.

FIG. 5 schematically illustrates a logical flow diagram for one embodiment of an example knowledge-based authentication process which may be run by one embodiment of the tax return analysis platform computing system of FIG. 6.

FIG. 6 is a block diagram showing one embodiment in which a tax return analysis platform computing system is in communication with a network and various systems, such as websites and/or online services, are also in communication with the network.

DETAILED DESCRIPTION OF VARIOUS EMBODIMENTS

Overview

One principal method of conducting income tax refund fraud is through identity theft, specifically, by filing a tax return deceptively as someone else. According to a 2011 report by the Federal Trade Commission, identity theft has been the number one consumer complaint since 2000. Unfortunately, identities can be stolen from anywhere and resourceful identity thieves use a variety of ways to obtain an individual's personal information. Identity thieves can retrieve personal information by rummaging through the trash of businesses. In some cases identity thieves work for legitimate companies, medical offices, clinics, pharmacies, or government agencies, and take advantage of their roles at these organizations to illicitly obtain or solicit personal information.

Identity thieves have two primary concerns when they are concocting an income tax refund fraud scheme. They need to devise a clever system for moving and using the fraudulently obtained funds, and they need to figure out how to obtain another individual's social security number (“SSN”) and other identifying information, which they will use to circumvent the existing tax return review process. Typically the fraudster will file a false return electronically, early in the tax filing season before the legitimate tax filer has a chance to the file their return. Fraudsters then use the stolen information and provide false information about wages earned, taxes withheld, and other data in order to appear as the legitimate tax payer who is entitled to a tax refund. The fraudster arranges for the proceeds of the refund to be deposited into a bank account or transferred to a debit card, or other similar methods which are virtually untraceable once the payment has been released. According to the IRS's Identity Protection Incident Tracking Statistics Report, incidents of identity theft tied to taxpayers has risen three fold from 2009 to 2011 growing from 456,453 incidents in 2009 to 1,125,634 in 2011.

Unfortunately, many individuals who are victims of identity theft may be unaware that their identity has been stolen to file fraudulent tax returns. It is not until the legitimate individual files a tax return resulting in a duplicate filing under the same name and SSN that many individuals realize they are a victim of identity theft. Everyone with a social security number is potentially vulnerable to having their identity stolen.

Anyone who has access to a computer can fill out an income tax form online and hit submit. Income tax returns are processed within days or weeks, and the proceeds are then deposited into accounts or provided on debit cards. Once released, these monies are virtually untraceable, and thus an improved method to detect fraudulent tax returns prior to releasing tax refund monies is needed. According to the Tax Inspector General for Tax Administration (“TIGTA”), the number of identified fraudulent tax returns has increased by 40% from 2011 to 2012 which equates to an increase in over $4B dollars. While the number of fraudulent tax returns can be identified, the full scope of the fraud remains unknown. Additionally in 2012, TIGTA reported that, using characteristics of identity theft confirmed by the IRS, it had identified approximately 1.5 million undetected tax returns with potentially fraudulent tax refunds totaling in excess of $5.2 billion. This number only takes into consideration income tax fraud on a federal level. TIGTA also found that contributing to the growth in tax fraud is an ongoing challenge in authenticating taxpayers. Even though some revenue agencies have adopted verification techniques such as use of a Personal Identification Number (“PIN”), or providing information from a previous year's return, these controls can be circumvented and have proven inadequate in stopping identity-based income tax fraud.

Income tax refund fraud schemes vary from those committed by individual perpetrators to those that are much more large scale, with multiple players spanning several years with the number of filings rising into the thousands and the losses ranging into the millions of dollars. With the average federal tax refund amounting to roughly $3,000 and state refund averaging around $500, many taxpayers anxiously await the return of their funds and are justifiably upset when their refunds are delayed. In some embodiments the systems used in detecting income tax refund fraud are effective and simultaneously efficient such that they do not delay the release of legitimate refunds. Complicating the issue is that typical “red flags” which might trigger a fraud alert, such as having a refund sent to a new address or an unfamiliar name, happen millions of times each year for honest reasons, such as when a taxpayer gets married (and changes his/her name and/or address) or moves, thus making it even more difficult to identify the fraudulent returns from the legitimate ones.

Embodiments of an electronic fraud analysis platform system are disclosed which may be used to analyze tax returns for potential fraud. Analysis of tax return data using the tax return analysis platform computing systems and methods discussed herein may provide insight into whether a tax return may be fraudulent based on, for example, an initial screening component configured to filter tax returns which appear fraudulent due to missing or inaccurate information provided with the return; a device activity analysis component configured to identify whether a device used to submit a tax return or to provide further authentication information needed to complete processing of the return may have been used in other fraudulent activities; and a knowledge-based authentication component configured to identify potential fraudsters using dynamically generated questions for which fraudsters typically do not know the answers.

The terms “individual,” “consumer,” “customer,” “people,” “persons,” “party,” “entity,” and the like, whether singular or plural, should be interpreted to include either individuals or groups of individuals, such as, for example, married couples or domestic partners, joint tax filers, organizations, groups, business entities, non-profit entities, and other entities.

Embodiments of the disclosure will now be described with reference to the accompanying figures, wherein like numerals refer to like elements throughout. The terminology used in the description presented herein is not intended to be interpreted in any limited or restrictive manner, simply because it is being utilized in conjunction with a detailed description of certain specific embodiments of the disclosure. Furthermore, embodiments of the disclosure may include several novel features, no single one of which is solely responsible for its desirable attributes or which is essential to practicing the embodiments of the disclosure herein described.

For purposes of this disclosure, certain aspects, advantages, and novel features of various embodiments are described herein. It is to be understood that not necessarily all such advantages may be achieved in accordance with any particular embodiment of the invention. Thus, for example, those skilled in the art will recognize that one embodiment may be carried out in a manner that achieves one advantage or group of advantages as taught herein without necessarily achieving other advantages as may be taught or suggested herein.

High Level Data Flow

FIG. 1 is a block diagram which illustrates an exemplary data flow between a consumer computing device (or devices) (for example, a smart phone, a tablet, a car console, or other electronic computing device) 162, a tax agency computing system (or systems) 168, and a tax return analysis platform (“TRAP”) system 100, according to one embodiment. The data flow of FIG. 1 illustrates at a high level how a consumer tax filing may be analyzed by the TRAP system according to associated processes described herein to determine and provide an indication of whether the tax filing may be fraudulent.

The exemplary data flow may begin at (1) when a consumer submits a tax return filing to a tax agency. The tax return may be submitted in any manner by which the tax agency accepts tax return filings, including traditional physical paper filings as well as electronic submissions. Traditional physical paper filings typically are digitally scanned or otherwise input to the tax agency computing system 168 to facilitate faster processing of the tax return.

In some instances, if a tax return is submitted to the tax agency electronically (for example, to the tax agency computing system 168), the tax agency may have the ability to detect or associate a user computing device used by the individual to submit the tax return. For example, in some cases an IP address, a device identifier, or other identifying information associated with the user computing device or the tax return may be automatically detected and gathered by the tax agency computing system, such as by the use of a client-side script downloaded to the user computing device, a cookie, or other methodology. Such device identifying information may be collected at various stages of an electronic tax return filing process, such as when the individual registers with the tax agency computing system 168 via a website provided by the tax agency, or when the individual submits the completed tax return to the tax agency, and so on. If device identifying information is gathered by the tax agency, the device identifying information may be provided to the TRAP system 100 and used or included in the tax refund fraud analysis processes described herein. Embodiments of various device identification systems and methods are disclosed in U.S. Pat. Nos. 7,853,533, 8,862,514, and U.S. Publication No. 2011/0082768, the entire contents of which are all hereby incorporated by reference herein. However, the TRAP system 100 may perform the tax refund fraud analysis processes even if such device identifying information is not provided by the tax agency at the outset.

Although the description with reference to (1) describes submission of a tax return for a single individual, the tax agency naturally receives tax returns numbering in the thousands or even millions depending on the size of the tax base being served. Thus it should be understood that the actions described at (1) may occur for thousands, millions, or any number of tax returns submitted to the tax agency, some in parallel and some over a period of time.

At (2), the tax agency provides tax return data for one or more consumers to be analyzed for potential fraud to the TRAP system 100. The TRAP system 100 is configured to support either analysis of a single tax return or analysis of multiple tax returns from multiple consumers via high-volume batch-mode processing. The TRAP system 100 may be configured to perform the fraud analysis in various ways and at different stages of the overall process flow as described further below.

At (3A), the TRAP system 100 performs an automated, initial data screening of the tax return data to identify tax returns which may be potentially fraudulent. The initial screening may be performed, for example, by the screening/precise ID module 128 of the TRAP system 100 as illustrated in FIG. 6. The automated initial screening process is described in more detail with reference to block 210 of FIG. 2 herein. At a high level, the initial screening process may involve accessing consumer data (such as consumer data that may be stored in one of the consumer data sources 172) that is generally known to be highly accurate and/or verified, generating consumer attributes (associated with each respective tax return provided by the tax agency), and performing matching, identification, verification, duplicate checking and other screening processes using the consumer attributes. A tax return may be flagged or identified as potentially fraudulent in response to determining, for example, that some consumer attributes associated with the tax return do not match the accessed consumer data.

If the tax agency provides device identifiers associated with the tax return data then at (3B) the TRAP system 100 may optionally perform a device activity analysis (which may also be referred to as device proofing) to further identify tax returns which may be potentially fraudulent. The device proofing process is described in more detail with reference to FIG. 4 herein. At a high level the device proofing process may involve accessing device activity data (such as device activity data that may be stored in one of the device activity data sources 174) using one or more of the provided device identifiers. The device activity data may indicate, for example, whether a particular device has been previously associated with other fraudulent activities. If a particular device associated with one or more of the device identifiers for a particular tax return has been previously associated with other fraudulent activities, the particular tax return may be flagged for potential fraud as well.

At (4), once the TRAP system 100 has completed the initial screen process (and optionally the device proofing process), the TRAP system 100 provides a list of flagged tax returns to the tax agency computing system 100. The list may be a one-to-one correspondence of the tax return data initially provided by the tax agency with only those particular tax returns identified by the TRAP system 100 as potentially fraudulent being flagged as such. In another embodiment, the list may include only those particular tax returns flagged by the TRAP system 100. In one embodiment, the flags may comprise one or more indicators, scores, probability, risk levels, or other information that may indicate a degree to which a respective tax return may be fraudulent. For example, a first tax return may be flagged as “low probability” and further indicate that only one consumer attribute with a low risk rate was found to be non-matching during the initial screening process. In another example, a second tax return may be flagged as “medium probability” and further indicate that several consumer attributes were found to be non-matching or unverified. In another example, a third tax return may be flagged as “high probability” and further indicate that several consumer attributes were found to be non-matching or unverified, as well as indicate that the device used to submit the tax return has been previously associated with other fraudulent activities.

In one embodiment, the tax agency can review and decide which returns to process, deny, or require additional information. For those where the tax agency wants more information which the tax agency can utilize the TRAP system 100 to conduct additional analysis. At (5), the tax agency computing system 168 may direct a flagged consumer to access a website or application provided by the tax agency in order to provide further authentication information necessary to complete processing of the tax return. For example, the tax agency computing system 168 may send a letter, an electronic message, or a text message to the flagged consumer based on the list provided by the TRAP system 100. In some instances the letter or electronic message may be sent automatically once the list is received from the TRAP system 100.

At (6), the consumer accesses the website or the application provided by the tax agency to provide the requested authentication information. The website may be preconfigured to download a script (for example, a JavaScript code or similar) to a computing device used by the consumer to access the website via a web browser, an application, or other program. The script may be provided by the TRAP system 100 to facilitate device proofing with respect to the computing device being used by the consumer to access the website.

At (7), device-related information, which may include one or more device attributes and/or identifiers, associated with the computing device used by the consumer to access the website or the application may be detected, for example by execution of the script or program of the application on the consumer's computing device. In one embodiment, the script or application may be configured to provide the device-related information to the tax agency computing system 100, which may be configured to perform internal processing and/or to forward the device-related information to the TRAP system 100. In another embodiment the script may be configured to provide the device-related information directly to the TRAP system 100. The device-related information may be used to generate a unique device identifier, which may be used, for example, as described herein to access device activity data associated with the unique device identifier. In some embodiments, generation of the unique device identifier may be performed by the TRAP system 100; by an application installed on the computing device used by the consumer (in which case the unique device identifier may be detected as part of the device-related information); or by a third party service that may offer device identity services via one or more application programmatic interfaces (“APIs”).

At (8A), once the device identifiers are received by the TRAP system 100, the system may then perform the device proofing described above and in more detail with reference to FIG. 4 herein. The device proofing may be performed at (8A) to determine whether the computing device used by the consumer to provide the requested authentication information has previously been associated with any fraudulent activity. In some instances, the device proofing at (8A) may be the first time such device proofing is executed, such as would be the case in which the tax agency did not provide device identifiers to the TRAP system 100 with the tax return data at (2) discussed above. In such a scenario, the device proofing may only be applied with respect to the computing device used by the consumer at (6) to access the tax agency website.

However, in another possible scenario, the device proofing at (8A) may be at least the second time such device proofing is executed. For example, an initial device proofing may be performed at (3A) with respect to a first device used by a consumer to submit the tax return electronically to the tax agency computing system 168; and a second device proofing may be performed at (8A) with respect to a second device used by the same consumer at (6) to access the tax agency website. The first device and the second device may or may not be the same device, and as such the initial device proofing and the second device proofing may produce different results. For example, the initial device proofing may provide an indication that the first device is not associated with previous fraudulent activity, whereas the second device proofing may provide an indication that the second device is associated with previous fraudulent activity. This additional round of device proofing, if available, may provide the tax agency with an additional layer of fraud detection, as a fraudster may utilize multiple devices in an attempt to avoid detection.

At (8B), the TRAP system 100 may also initiate a knowledge-based authentication (“KBA”) process in order to further authenticate the consumer and/or to provide further fraud detection back-end support to the tax agency computing system 100. For example, the consumer may be prompted to provide personal information (for example, full name, current and/or prior addresses, and other personally identifying information or “PII”) through the tax agency website. Some or all this personal information may be gathered by the tax agency computing system 168, which may perform internal processing and/or forward the provided personal information to the TRAP system 100. In another embodiment, the personal information may be collected automatically and provided directly to the TRAP system 100, such as via a client-side script downloaded to the consumer's computing device when the tax agency website is accessed.

Once at least some personal information is received at the TRAP system 100, the TRAP system 100 can use the personal information to access consumer data, including credit data, associated with the consumer (for example, from the consumer data sources 172). The TRAP system 100 may then generate further authentication questions (for example, “out of wallet” questions) based on the accessed consumer data. For example, out of wallet questions may be generated in order to solicit responses that include information highly likely to only be known by the consumer (and/or unlikely to be known by a fraudster) which would not be found in the consumer's wallet, such as a monthly payment amount on an outstanding debt obligation which may appear in the consumer's credit data.

At (9), the TRAP system 100 provides the out-of-wallet or other authentication questions and receives and processes the responses. The questions may be provided directly to the consumer computing device, such as via a client side script downloaded to the consumer computing device when accessing the tax agency's authentication website. For example, a client side script may be provided by the TRAP system 100 to the tax agency computing system 168 for inclusion in the website. The client side script may be configured to retrieve personal information as it is entered by the consumer into a form on the website; send the personal information to the TRAP system 100; receive one or more authentication questions; and present the questions to the consumer for further authentication. The client side script may be further configured to collect responses to the presented questions and send the responses directly to the TRAP system 100. After the TRAP system 100 receives the responses, it processes them to determine whether they are accurate with respect to the accessed consumer data.

At (10), the TRAP system 100 provides one or more indicators of potential fraud (for example, scores and the like) to the tax agency computing system 168 based on any combination of the various fraud detection processes described throughout FIG. 1. For example, indicators may be provided for each of the initial screening, the first device proofing (if performed), the second device proofing, and the KBA process (including for example indicators of whether and/or how many questions were answered correctly). In one embodiment, a composite or aggregate tax return fraud score may be provided, wherein the fraud score may be generated based at least in part on any of the component fraud indicators described herein. The tax agency may then use the one or more indicators, and/or the aggregate tax return fraud score, to make a determination as to whether the tax return should be processed, denied, approved, or flagged for further follow-up.

Examples of Processes Performed by TRAP systems

FIGS. 2, 3, 4, and 5 are flowcharts illustrating various embodiments of TRAP system processes. In some implementations, the processes are performed by embodiments of the TRAP system 100 described with reference to FIG. 6 and/or by one of its components, such as the such as the authentication module 122, the data partition and security module 126, the screening/precise ID module 128, the device activity analysis module 132, and/or the fraud detection module 134. For ease of explanation, the following describes the services as performed by the TRAP system 100. The example scenarios are intended to illustrate, but not to limit, various aspects of the TRAP system 100. In one embodiment, the processes can be dynamic, with some procedures omitted and others added.

Initial Tax Fraud Screening

FIG. 2 is a flowchart illustrating one embodiment of a process 200 for performing an initial tax fraud screening of one or more tax returns, which may be run by one embodiment of the TRAP system 100 of FIG. 6. The process 200 may be performed by the TRAP system 100 separately or in conjunction with, for example, the process 300 of FIG. 3, the process 400 of FIG. 4, and/or the process 500 of FIG. 5. For ease of explanation certain portions of the description below describes the process with respect to an individual consumer and an individual tax return. However the process may also be applied similarly to a plurality of consumers and/or a plurality of tax returns separately and/or in parallel, such as in batch processing of multiple thousands or millions of tax returns.

The process 200 begins at block 205, where the TRAP system 100 (for example, via the data partition and security module 126 of FIG. 6) accesses (or receives) a list of encrypted consumer tax return data. The tax return data may be provided by a tax agency to the TRAP system in order to perform an initial fraud screening of one or more consumer tax returns. In one embodiment the tax return data may be accessed from the tax return data source(s) 170 by the tax agency computing system 168 and provided to the TRAP system 100. In another embodiment, the TRAP system 100 may be granted permission to access the tax return data source 170 directly. As described with reference to FIG. 1 the tax return data may also include device identifiers that may be associated with respective tax returns.

At block 210, for each consumer identified in the tax return data, the TRAP system 100 (for example, via the screening/precise ID module 128) performs an initial screening (for example, data matching, data verification, identifying duplicates, and so forth) based on the attributes associated with each respective tax return. Various attributes may be screened including but not limited to name, address, date of birth, social security number (“SSN”), driver license, phone number (wireless or landline), bank account number(s), and/or IP address. Other attributes not expressly listed herein may also be used. To perform the initial screening, the TRAP system 100 may access consumer data from consumer data source(s) 172, wherein the consumer data may be accessed using at least some of the consumer attributes associated with respective tax returns. For example, one attribute of a tax return may include a social security number (or other unique consumer identifiers), which the TRAP system 100 may then use to access consumer data associated with the social security number (or other unique consumer identifiers). The screening process may generate, for example, a validation score which predicts the likelihood that the identification information supplied (for example, name, address, SSN, phone number, date-of-birth, and so forth) is a valid combination which has been seen previously within one or multiple data sources. The screening process may also generate, for example, an ID Theft Score that predicts the likelihood that the application is originating from the true consumer.

The screening process at block 210 may involve checking or addressing multiple attributes of each tax return, including for example: whether the SSN is valid; whether the name on the return matches the SSN provided; whether the tax filer exists in any data records at all; whether the address on the return matches the tax filer's current address; whether the SSN is associated with a deceased person; whether the address is valid or if it corresponds to an institution, a vacant lot, or some other invalid location; whether the return address on the tax return is in a state where the tax filer has never resided (for example, based on past address history which may be contained in the tax filer's credit data); whether there is any indication of fraud within the tax filer's credit data; whether multiple returns are identified as going to the same address; and/or whether joint filers as stated on the return are actually connected to each other (for example, spouses, domestic partners, and so forth)

Next, at block 215, the TRAP system 100 determines whether any device identifiers associated with respective tax returns with the tax return data have been provided and/or are available in order to facilitate an initial device proofing. In response to determining that device identifiers are provided or available the process 200 may proceed to block 220. In response to determining that no device identifiers are provided or available the process 200 may proceed to block 225.

At block 220, the TRAP system 100 (for example, via the device activity analysis module 132) may optionally perform an initial device activity screening (for example, device proofing) using any device identifiers associated with respective tax returns which have been provided to or accessed by the TRAP system 100. The device proofing process is described in more detail with reference to FIG. 4 herein. At a high level the device proofing process performed at block 220 may involve accessing device activity data (such as device activity data that may be stored in one of the device activity data sources 174, including as a lookup table which may further include blacklist information for one or more devices) using one or more of the device identifiers. The device activity data may indicate, for example, whether a particular device has been previously associated with other fraudulent activities or is associated with other devices which may have been involved in past fraud. If a particular device associated with one or more of the device identifiers for a particular tax return has been previously associated with other fraudulent activities, the particular tax return may be flagged for potential fraud as well.

Once the initial device activity screening at block 220 has been completed, or in response to determining that no device activity screening need be performed at this stage of the tax fraud analysis, the process 200 proceeds to block 225. At block 225, the TRAP system 100 (for example, via the fraud detection module 134) identifies or flags consumers and/or tax returns for possible fraud, based at least in part on the initial screening performed at block 210 and/or the device activity screening performed at block 220. The flags or indicators may include for example, a plurality of indicators for individually identified items from each of the items checked in the initial screening process at block 210 and/or the device activity screening performed at block 220; one or more indicators representing aggregate or overall fraud indicators for particular categories, such as an initial screening fraud score, a device fraud score; an overall fraud score; or any other variant or combination thereof.

At block 230, the TRAP system 100 provides the list of flagged consumer tax returns and possible fraud indicators. This list may be provided, for example, to the particular tax agency which provided the tax return data for fraud analysis. The tax agency may then use the list of flagged tax returns in order to initiate further authentication of consumers who filed the flagged tax returns before completing the processing of those returns, and other purposes as described herein.

In one embodiment, the TRAP system 100 may store at least some identifying information related to flagged tax returns for possible retrieval and continued fraud analysis processes as will be described further below. Otherwise, the TRAP system 100 promptly and securely destroys or removes the tax return data once the process 200 has been completed in order to ensure privacy and maintain compliance with any regulatory requirements with respect to tax return data which may limit the purpose, use or duration under which such data may be held by non-tax agency entities.

Additional Tax Fraud Analysis

FIG. 3 is a flowchart illustrating one embodiment of a process 300 for performing a device activity analysis and/or a knowledge-based authentication process with respect to a consumer asked to provide further authentication information for a tax return flagged as potentially fraudulent, which may be run by one embodiment of the TRAP system of FIG. 6. The process 300 may be performed by TRAP system 100 separately or in conjunction with, for example, the processes 400 of FIG. 4 and/or the process 500 of FIG. 5.

At block 305, the TRAP system 100 (for example, via the device activity analysis module 132) accesses or receives the device identifiers associated with a device used by the consumer to provide identity authentication information for a flagged tax return. For example, in one embodiment, the process 300 may be performed in response to the consumer accessing a website (or using a software application or “app”) provided by the tax agency to provide requested further authentication information in order to complete processing of a tax return filed by the consumer. The website or app may be configured to download a client-side script to the computing device used by the consumer to access the website or app, wherein the client-side script is configured to execute automatically in order to gather device identifiers associated with the consumer's computing device. These device identifiers may be collected and sent either to the tax agency computing system 168, which may in turn provide them to the TRAP system 100 for further fraud analysis; or the device identifiers may be provided directly to the TRAP system 100.

Next at block 310, the TRAP system 100 accesses and analyzes device activity data to identify potentially fraudulent activity that may be associated with the device used by the consumer to provide the requested identity authentication information. The device proofing process is described in more detail with reference to FIG. 4 herein.

At block 315, the TRAP system 100 (for example, the authentication module 122) performs or initiates a knowledge-based authentication (“KBA”) process to further authenticate the consumer. The KBA process is described in more detail with reference to FIG. 5 herein.

In one embodiment, at least some identifying information usable to initially determine an identity of the consumer may be provided to the TRAP system 100. For example, some identifying information may be provided to the TRAP system 100 as follows: when the TRAP system performs the initial screening process described previously, a temporary encrypted identifier may be generated and associated with a flagged return and provided to the tax agency computing system 168. The tax agency computing system 168 may then include the temporary encrypted identifier along with the request to the consumer to access the website or app to provide further authentication information. The encrypted identifier may be provided, for example, as part of a unique access identifier the consumer may be prompted to enter at the website, or embedded in a unique URL or hyperlink the consumer may use to access the website. Once the consumer visits the website, the encrypted identifier may be detected and retrieved, for example as part of the client-side script configured to collect device identifier data, and eventually provided back to the TRAP system 100. The encrypted identifier may then be decrypted and used to determine, for example, either that the consumer is associated with a previously-flagged tax return or to obtain at least some initially identifying information such as a name or other non-sensitive data that may be used to initiate the KBA process.

In another embodiment, as the consumer provides personal information (for example, via the website or app), the personal information may be provided directly or indirectly (for example, via the tax agency computing system 168) to the TRAP system 100. When enough identifying information is received to at least initially determine an identity of the consumer, the TRAP system 100 may access verified consumer data associated with the determined identity, such as credit data, from the consumer data sources 172 in order to generate authentication questions.

At block 320, the TRAP system 100 may optionally access previously screened tax return data to determine whether the consumer and/or the tax return were previously flagged for potential fraud, and/or to what extent such potential fraud may be been previously determined. In some embodiments this data may not be available to the TRAP system 100 or available only in a limited fashion which protects the privacy and security of the underlying tax return data. One embodiment that may permit storage and retrieval of at least the fraud indicators generated by the TRAP system 100 during the initial screening process 200 may involve the use of encrypted identifiers as described above.

Finally, at block 325, the TRAP system 100 provides one or more indicators of the potential fraud for the flagged tax return, based at least in part on: the device activity analysis performed at block 310, the KBA process performed at block 315, and/or the initial screening flag accessed at block 320 (if applicable). For example, the provided indicators may include an indication of whether the computing device has been previously associated with other fraudulent activities; a degree or level of risk that may be associated with such other fraudulent activities; an indicator of whether and/or how many authentication questions were answered correctly by the consumer; an indicator of whether and/or to what extent the tax return may have previously been flagged for potential fraud during the initial screening described in reference to process 200; an overall fraud score, range, number, letter, and so forth that may be generated in the aggregate or for each individually flagged item; and so forth.

Device Activity Analysis

FIG. 4 is a flowchart illustrating one embodiment of a process 400 for performing a device activity analysis which may be run by one embodiment of the TRAP system of FIG. 6. The process 400 may be performed by TRAP system 100 separately or in conjunction with, for example, the process 300 of FIG. 3.

The process 400 begins at block 405, where the TRAP system 100 (for example, via the device activity analysis module 132) accesses device activity data associated with a device, for example using a unique device identifier. The unique device identifier may be generated or determined, for example, based on the one or more device identifiers accessed at block 305 of FIG. 3. The unique device identifier may be one of the accessed device identifiers, or it may be based on some combination of some or all of the accessed device identifiers.

At block 410, the TRAP system 100 determines whether one or more fraudulent or potentially fraudulent activities are associated with the device based on the accessed device activity. The device activity analysis process performed at block 410 may involve accessing device activity data (such as device activity data that may be stored in one of the device activity data sources 174) using one or more of the device identifiers. The device activity data may indicate, for example, whether a particular device has been previously associated with other fraudulent activities or whether a device is in a blacklist. If a particular device associated with one or more of the device identifiers has been previously associated with other fraudulent activities, the particular device may be flagged for potential fraud as well.

Next, at block 415, the TRAP system 100 determines whether any fraudulent activities are associated with the device. In response to determining that no fraudulent activities appear to be associated with the device the process 400 may proceed to block 420. In response to determining that fraudulent activities are associated with the device the process 400 may proceed to block 425.

At block 420, the TRAP system 100 provides an indicator that the device is authenticated or otherwise does not appear to be associated with prior fraudulent activities.

At block 425, the TRAP system 100 provides at least one indicator (for example, a score, a flag, or other indicator) to describe the possible involvement of the device in the fraudulent activities. In one embodiment, the TRAP system 100 may also provide or enable access to a dashboard user interface that allows users to fully research and link seemingly unrelated events. The capability provided by the dashboard user interface can have a multiplying effect on the ability to detect fraud because, for example, the residue left by fraudsters across different transactions or accounts can be linked together for more precise detection of fraud rings.

Knowledge-Based Authentication Process

FIG. 5 is a flowchart illustrating one embodiment of a process 500 for performing a knowledge-based authentication process which may be run by one embodiment of the TRAP system of FIG. 6. The process 500 may be performed by TRAP system 100 separately or in conjunction with, for example, the process 300 of FIG. 3.

The process 500 begins at block 505, where the TRAP system 100 (for example, via the authentication module 122) access consumer data, such as credit data or a credit report, associated with the consumer (for example, from the consumer data sources 172).

At block 510, the TRAP system 100 generates one or more authentication questions (for example, “out of wallet” questions) based on the accessed consumer data in order to further authenticate the user. For example, out of wallet questions may be generated in order to solicit responses that include information highly likely to only be known by the consumer (and/or unlikely to be known by a fraudster), such as a monthly payment amount on an outstanding debt obligation which may appear on the consumer's credit report, the name or address of a particular loan servicer, the date that the last payment was posted to a credit account, and so on.

Next, at block 515, the TRAP system 100 provides the out-of-wallet or other authentication questions. The questions may be provided by the TRAP system 100 directly to the consumer computing device, such as via a client side script downloaded to the consumer computing device when accessing the tax agency's authentication website. For example, a client side script may be provided by the TRAP system 100 to the tax agency computing system 168 for inclusion in the website. The client side script may be configured to retrieve personal information as it is entered by the consumer into a form on the website; send the personal information to the TRAP system 100; receive one or more authentication questions from the TRAP system 100; and present the questions to the consumer for further authentication. The client side script may be further configured to collect responses to the presented questions and send the responses directly to the TRAP system 100.

At block 520, the TRAP system 100 receives/processes responses to the authentication questions. The responses are processed to determine whether they are accurate with respect to the accessed consumer data.

At block 525, the TRAP system 100 provides an indicator of whether and/or how many responses were correct. This information may be provided to the tax agency computing system 168 which can then use the information to determine whether the tax return should be denied, approved, or flagged for further follow-up.

Example System Implementation and Architecture

FIG. 6 is a block diagram of one embodiment of a tax return analysis platform (“TRAP”) system 100 in communication with a network 160 and various systems, such as consumer computing device(s) 162, tax agency computing systems(s) 168, tax return data source(s) 170, consumer data source(s) 172, and device activity data source(s) 174. The TRAP system 100 may be used to implement systems and methods described herein, including but not limited to the processes 200, 300, and 400 of FIGS. 2, 3, 4, and 5 respectively.

TRAP System

In the embodiment of FIG. 6, the TRAP system 100 includes an authentication module 122, an interface module 124, a data partition and security module 126, a screening/precise ID module 128, a device activity analysis module 132, and a fraud detection module 134 that may be stored in the mass storage device 120 as executable software codes that are executed by the CPU 150. These and other modules in the TRAP system 100 may include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables. In the embodiment shown in FIG. 6, the TRAP system 100 is configured to execute the modules recited above to perform the various methods and/or processes for tax filing data analysis as described herein (such as the processes described with respect to FIGS. 2, 3, 4, and 5 herein).

The authentication module 122 provides capabilities related to the knowledge-based authentication processes described, for example, with reference to FIGS. 3 and 5 herein. For example, the authentication module 122 may be configured to access the consumer data sources 172; generate authentication questions to be presented to a consumer asked to provide further authentication information for a tax return flagged as potentially fraudulent; receive and process responses; and provide indications of the accuracy of responses.

The interface module 124 provides capabilities related to interfacing between the TRAP system 100, the tax agency computing systems 168, and various data sources 170 (if applicable), 172, and 174. For example, the interface module 124 may be configured to provide various client-side scripts to the tax agency which may in turn be installed as part of a web service provided by the tax agency for consumers to access in order to further authenticate for a tax return. The interface module 124 may further be configured to receive data via the client-side scripts or from the tax agency computing systems for further processing by the various other modules described herein.

The data partition and security module 126 provides capabilities related to ensuring that tax return data accessed or received from various tax agency systems 168 and/or tax return data sources 170 are strictly separated or partitioned to maintain data privacy for each respective tax agency. In some embodiments the data partition and security module 126 may also be configured to ensure that the tax return data is promptly and securely destroyed or removed from the memory 130 and/or mass storage 120 of TRAP system 100 once the tax return data fraud analysis process(es) have completed.

The screening/precise ID module 128 provides capabilities related to performing identity screening and related routines, for example on tax returns provided by tax agency computing systems to the TRAP system 100 for fraud analysis. Some of these processes are described, with reference to FIG. 2 herein and may include, for example, matching and/or verifying consumer attributes associated with a tax return against verified consumer data accessed from the consumer data sources 172; identifying discrepancies in consumer attributes which may signal potential fraud, such as the use of a prior address rather than a current address; and similar types of screening.

The device activity analysis module 132 provides capabilities related to performing “device proofing” to determine whether a device used by a consumer during any part of the tax return process (for example, either filing/submitting the tax return or providing further information that may be required by the tax agency in order to complete processing of the tax return, and so on). Some of these processes are described, with reference to FIGS. 3 and 4 herein and may include, for example, accessing device activity data from the device activity data sources 174; determining whether fraudulent activities may be associated with the device; and providing indicators for the tax agency computing system regarding the likelihood that the device used by the consumer may have been previously used for other fraudulent activities.

The fraud detection module 134 provides capabilities related to those described with respect to the authentication module 122, the screening/precise ID module 128, and/or the device activity/analysis module 132. For example, the fraud detection module 134 may receive outputs from these various other modules and use the output to generate fraud indicator information (for example, a plurality of indicators for individually identified items from each of the modules involved in the fraud analysis process; one or more indicators representing aggregate or overall fraud indicators for particular categories, such as an initial screening fraud score, a device fraud score, and/or a KBA fraud score; an overall fraud score; or any other variant or combination thereof).

The TRAP system 100 includes, for example, a server, workstation, or other computing device. In one embodiment, the exemplary TRAP system 100 includes one or more central processing units (“CPU”) 150, which may each include a conventional or proprietary microprocessor. The TRAP system 100 further includes one or more memories 130, such as random access memory (“RAM”) for temporary storage of information, one or more read only memories (“ROM”) for permanent storage of information, and one or more mass storage device 120, such as a hard drive, diskette, solid state drive, or optical media storage device. Typically, the modules of the TRAP system 100 are connected to the computer using a standard based bus system. In different embodiments, the standard based bus system could be implemented in Peripheral Component Interconnect (“PCI”), Microchannel, Small Computer System Interface (“SCSI”), Industrial Standard Architecture (“ISA”) and Extended ISA (“EISA”) architectures, for example. In addition, the functionality provided for in the components and modules of TRAP system 100 may be combined into fewer components and modules or further separated into additional components and modules.

The TRAP system 100 is generally controlled and coordinated by operating system software, such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server, Unix, Linux, SunOS, Solaris, iOS, Blackberry OS, or other compatible operating systems. In Macintosh systems, the operating system may be any available operating system, such as MAC OS X. In other embodiments, the TRAP system 100 may be controlled by a proprietary operating system. Conventional operating systems control and schedule computer processes for execution, perform memory management, provide file system, networking, I/O services, and provide a user interface, such as a graphical user interface (“GUI”), among other things.

The exemplary TRAP system 100 may include one or more commonly available input/output (I/O) devices and interfaces 110, such as a keyboard, mouse, touchpad, and printer. In one embodiment, the I/O devices and interfaces 110 include one or more display devices, such as a monitor, that allows the visual presentation of data to a user. More particularly, a display device provides for the presentation of GUIs, application software data, and multimedia analytics, for example. The TRAP system 100 may also include one or more multimedia devices 140, such as speakers, video cards, graphics accelerators, and microphones, for example.

Network

In the embodiment of FIG. 6, the I/O devices and interfaces 110 provide a communication interface to various external devices. In the embodiment of FIG. 6, the TRAP system 100 is electronically coupled to a network 160, which comprises one or more of a LAN, WAN, and/or the Internet, for example, via a wired, wireless, or combination of wired and wireless, communication link. The network 160 communicates with various computing devices and/or other electronic devices via wired or wireless communication links.

According to FIG. 6, in some embodiments information may be provided to or accessed by the TRAP system 100 over the network 160 from one or more tax return data sources 170, consumer data source(s) 172, and/or device activity data source(s) 174. The tax return data source(s) 170, consumer data source(s) 172, and/or device activity data source(s) 174 may include one or more internal and/or external data sources. In some embodiments, one or more of the databases or data sources may be implemented using a relational database, such as Sybase, Oracle, CodeBase and Microsoft® SQL Server as well as other types of databases such as, for example, a flat file database, an entity-relationship database, and object-oriented database, and/or a record-based database.

Tax Return Data Sources

The tax return data source(s) 170 may store, for example, tax return data including attributes, profiles, and other data descriptive of or related to tax return filings. The tax return data may include name, address, social security number, financial data related to the return, and other such information typically provided in a local or state tax return filing. In some embodiments, due to the sensitive nature of such tax return data, the TRAP system 100 may not have direct access to the tax return data source(s) 170. Rather, the tax agency computing system(s) 168 would have access to their own respective tax return data sources 170 and provide selected tax return data to the TRAP system 100. In some embodiments the TRAP system 100 may have at least a limited access permission (as indicated by the dashed line connecting network 160 to the tax return data sources 170) which may be allowed by the tax agency or under various laws and regulatory requirements which limit access to such data by non-tax agency or non-government entities.

Consumer Data Sources

The consumer data source(s) 172 may store, for example, credit bureau data (for example, credit bureau data from File Ones℠) and/or other consumer data. Consumer data source(s) 172 may also store geographic level demographics that include one or more models, such as models that identify lifestyle and/or socio-economic attributes associated with a geographic location (for example, MOSAIC® segmentation and/or codes) and/or behavioral/attitudinal/psychographic attributes associated with a geographic location (for example, TrueTouch℠ Touch Points segmentation).

Device Activity Data Sources

The device activity data source(s) 174 may store, for example, device activity data for respective computing devices. The device activity data may include among other things indications of fraudulent activities that may be associated with particular device identifiers. For example, a fraudster may use a device to engage in a fraudulent transaction online, and thus the transaction and a device identifier associated with the device may be collected and stored in a device activity data source 174. Such information may be extremely valuable to prevent future repeat fraud with the same device, such as if a potential tax fraudster attempts to use the device in relation to filing of a fraudulent tax return.

Additional Use Cases

In some embodiments, the systems and methods maybe used to provide a variety of features, such as the features described below.

Risk Based Versus Traditional Rules Based Tax Return Analysis

One aspect of the identity authentication or screening processes described herein is that the processes may be based upon data and analytics used in the financial industry to approve millions of credit transactions daily. In some instances authentication tools may be certified under Federal Identity, Credential and Access Management (“FICAM”) at a National Institute of Standards and Technology (“NIST”) Level of Assurance (“LOA”) 3 for virtual identity authentication. Such authentication tools help organizations to mitigate risk in billions of dollars in credit transactions, the majority of which are done electronically and in virtual anonymity. One strength of these authentication tools is the ability to not only use traditional identity verification checks based upon public records review, but the addition of a risk based process providing an identity fraud score which significantly lowers the number of false positives. The most predictive authentication and fraud scores are those that incorporate multiple data assets spanning traditionally used customer information categories, such as public records and demographic data, but also utilize, when possible, credit history attributes and historical application and inquiry records. Scores that incorporate a breadth of varied data categories such as credit attributes and demographic data typically outperform models built on singular categories of data such as public record assets.

Knowledge-Based Authentication

In addition, to verify a tax filer's identity, further authentication of those returns that are identified or flagged as suspect or potentially fraudulent may be implemented to provide greater assurance that the tax refund is released to the legitimate taxpayer. In conjunction with a risk-based identity proofing process, the tax refund fraud detection process can be further strengthened by use of a knowledge based authentication (“KBA”) process, which often include “Out of Wallet” questions. The tax filer is required to answer a list of questions correctly in order to receive the requested refund. In certain embodiments, challenge-response question technology can be used to dynamically formulate questions only the true tax payer would know. With an adjustable question configuration and the ability to change strategies for each inquiry, tax agencies may be well-suited to achieve their identity verification or fraud prevention and detection objectives with various levels of authentication. Configurable time limits can prevent fraudsters from researching answers during faceless interactions, and the use of both credit and non-credit related questions provide a more accurate picture of the consumer and further assure that the refund is being released to the legitimate taxpayer. The KBA processes described herein may be provided, for example, via a web site or app.

Device Identity Proofing

Many tax filings are now conducted electronically, which further preserves anonymity for the fraudster and allows for a quicker turn around in receiving the fraudulent refund. Individuals committing tax fraud will typically use the same computer to submit tax returns, submit credit applications, open accounts, and so forth. Device proofing capabilities offered by embodiments of the systems and methods described herein can authenticate the device being used to provide additional assurance that the device is not currently involved in or tied to other fraudulent activity, nor has it been involved in or tied to any past fraudulent activity.

Fraud Detection in Other Financial Transactions

A stolen identity has a short shelf life, and fraudsters frequently will try to utilize it for multiple transactions before it is abandoned. Thus, in some embodiments, an inquiry process that utilizes a complex set of algorithms may determine if the attributes of the identity used in the tax return have been involved in other fraudulent attempts to open accounts or secure lines of credit. This independent inquiry check based on the same identity credentials being used to submit the fraudulent tax return can help identify if the fraudster has attempted to use these same credentials in other credit related activities.

Returns Linked to Multiple Bank Accounts and Addresses

One of the weaknesses in the tax filing system which is exploited by income tax fraudsters is the government's need to quickly process returns and provide refunds. Tax returns are frequently processed and refunds released within a few days or weeks. This quick turnaround may not allow the government to fully authenticate all the elements submitted on returns. Current fraud detection processes does not detect addresses or bank accounts that are receiving multiple refunds. Most income tax refund fraudsters want easy access to their fraudulent refunds and thereby chose to have the refund placed on a debit card and sent to one or two of the same addresses or deposited into one or two accounts. Having large numbers of debit card sent to the same address or refunds deposited into one account is not normal behavior for legitimate tax filers, and thus evidence of such behavior can also be used as a fraudulent flag indicator in the return analysis process.

Thus, in one embodiment, the TRAP system 100 may be configured to analyze tax return filings to, for example, determine whether a same address is used multiple times across multiple tax returns. The TRAP system 100 also may be configured to analyze tax return filings to, for example, determine whether a same bank account is used multiple times across multiple tax returns. In another embodiment, the TRAP system 100 may be configured to combine both of these features to determine whether a same address is used in conjunction with a same bank account across multiple tax returns. Any one of these determinations, alone or in combination, may contribute or give rise to a fraudulent flag indicator. In another embodiment, as another fraud safeguard the TRAP system 100 may be configured to access verified bank account data (for example, under permission from a participating bank service provider), or be configured to request verification of a bank account with respect to the individual tax filer. Thus, for example, if one or more tax returns appear potentially fraudulent based on repeated use of a same address or a same bank account, the TRAP system 100 may be configured to perform an additional bank account verification process to verify whether the tax filer(s) associated with the suspect return(s) are verified account holders with respect to the bank accounts used on the suspected return(s).

Income Check Against Reported Adjusted Gross Income (“AGI”)

As described above, the income tax refund fraudster can use a variety of methods to obtain a consumer's name, address, and Social Security Number. However, it is not as easy for a fraudster to obtain information on an individual's income. According to TIGTA, access to third-party income and withholding information at the time tax returns are processed can be an important tool in identifying and preventing tax refund fraud. Unfortunately, this information is usually not available until well after tax filing season begins, since employers are not required to file W-2 information until after the consumer filing process begins. The amounts listed on fraudulent returns can thus be falsified by the fraudster in order to increase the ultimate number of deductions and extract the largest refund without arousing suspicion. In some instances, using income estimation models, the reported income can be checked against third party data not based upon previous years' returns, but, independent financial information which can take into account a consumer's credit history and recent spending habits. While not a report of the actual income, it can provide a gauge that can be used to flag returns where reported income is well outside the expected norm for that tax filer.

The use of a risk based identity authentication process, coupled with business rules based analysis and knowledge based authentication tools can facilitate identification of fraudulent tax returns. In addition, the ability to perform non-traditional checks against device fraud activity; the use by fraudsters of same identity credentials in independent financial transactions; detecting that multiple refunds are requested to be to sent to the same address or deposited into the same bank account; and the ability check the reported income against an individual consumer's estimated income, further strengthens the tax refund fraud detection processes and helps close additional loopholes exploited by the tax fraudster while at the same time decreasing the number of false positives. Embodiments of the tax return analysis platform system and methods described herein may be easy to implement, integrate seamlessly into any existing tax return evaluation process, and/or add little to no additional time to the existing process, thereby assuring a continued quick turnaround for legitimate tax refund releases, while at the same time providing increased assurance that the refunds are being provided to the legitimate tax payer.

Other Embodiments

Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The code modules may be stored on any type of non-transitory computer-readable medium or computer storage device, such as hard drives, solid state memory, optical disc, and/or the like. The systems and modules may also be transmitted as generated data signals (for example, as part of a carrier wave or other analog or digital propagated signal) on a variety of computer-readable transmission mediums, including wireless-based and wired/cable-based mediums, and may take a variety of forms (for example, as part of a single or multiplexed analog signal, or as multiple discrete digital packets or frames). The processes and algorithms may be implemented partially or wholly in application-specific circuitry. The results of the disclosed processes and process steps may be stored, persistently or otherwise, in any type of non-transitory computer storage such as, for example, volatile or non-volatile storage.

In general, the word “module,” as used herein, refers to logic embodied in hardware or firmware, or to a collection of software instructions, possibly having entry and exit points, written in a programming language, such as, for example, Java, Lua, C or C++. A software module may be compiled and linked into an executable program, installed in a dynamic link library, or may be written in an interpreted programming language such as, for example, BASIC, Perl, or Python. It will be appreciated that software modules may be callable from other modules or from themselves, and/or may be invoked in response to detected events or interrupts. Software modules configured for execution on computing devices may be provided on a computer readable medium, such as a compact disc, digital video disc, flash drive, or any other tangible medium. Such software code may be stored, partially or fully, on a memory device of the executing computing device, such as the TRAP system 100, for execution by the computing device. Software instructions may be embedded in firmware, such as an EPROM. It will be further appreciated that hardware modules may be comprised of connected logic units, such as gates and flip-flops, and/or may be comprised of programmable units, such as programmable gate arrays or processors. The modules described herein are preferably implemented as software modules, but may be represented in hardware or firmware. Generally, the modules described herein refer to logical modules that may be combined with other modules or divided into sub-modules despite their physical organization or storage.

The various features and processes described above may be used independently of one another, or may be combined in various ways. All possible combinations and subcombinations are intended to fall within the scope of this disclosure. In addition, certain method or process blocks may be omitted in some implementations. The methods and processes described herein are also not limited to any particular sequence, and the blocks or states relating thereto can be performed in other sequences that are appropriate. For example, described blocks or states may be performed in an order other than that specifically disclosed, or multiple blocks or states may be combined in a single block or state. The example blocks or states may be performed in serial, in parallel, or in some other manner. Blocks or states may be added to or removed from the disclosed example embodiments. The example systems and components described herein may be configured differently than described. For example, elements may be added to, removed from, or rearranged compared to the disclosed example embodiments.

Conditional language used herein, such as, among others, “can,” “could,” “might,” “may,” “for example,” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment. The terms “comprising,” “including,” “having,” and the like are synonymous and are used inclusively, in an open-ended fashion, and do not exclude additional elements, features, acts, operations, and so forth. Also, the term “or” is used in its inclusive sense (and not in its exclusive sense) so that when used, for example, to connect a list of elements, the term “or” means one, some, or all of the elements in the list. Conjunctive language such as the phrase “at least one of X, Y and Z,” unless specifically stated otherwise, is otherwise understood with the context as used in general to convey that an item, term, etc. may be either X, Y or Z. Thus, such conjunctive language is not generally intended to imply that certain embodiments require at least one of X, at least one of Y and at least one of Z to each be present.

While certain example embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the disclosure. Thus, nothing in the foregoing description is intended to imply that any particular element, feature, characteristic, step, module, or block is necessary or indispensable. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made without departing from the spirit of the inventions disclosed herein. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of certain of the inventions disclosed herein.

Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art.

All of the methods and processes described above may be embodied in, and partially or fully automated via, software code modules executed by one or more general purpose computers. For example, the methods described herein may be performed by the TRAP system 100 and/or any other suitable computing device. The methods may be executed on the computing devices in response to execution of software instructions or other executable code read from a tangible computer readable medium. A tangible computer readable medium is a data storage device that can store data that is readable by a computer system. Examples of computer readable mediums include read-only memory, random-access memory, other volatile or non-volatile memory devices, CD-ROMs, magnetic tape, flash drives, and optical data storage devices.

It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure. The foregoing description details certain embodiments of the invention. It will be appreciated, however, that no matter how detailed the foregoing appears in text, the invention can be practiced in many ways. As is also stated above, it should be noted that the use of particular terminology when describing certain features or aspects of the invention should not be taken to imply that the terminology is being re-defined herein to be restricted to including any specific characteristics of the features or aspects of the invention with which that terminology is associated. 

What is claimed is:
 1. A computer-implemented method under control of one or more computer systems configured with executable instructions, the method comprising: sending an electronic request, to a remote tax agency server via a network interface, for a first tax return data, the remote tax agency server comprising a first electronic data store configured to store a plurality of tax return data associated with a plurality of consumers and at least one tax agency; receiving, from the remote tax agency server via the network interface, the first tax return data associated with a first tax return of a first consumer, the first tax return data including one or more individual consumer attributes associated with the first consumer; accessing, from a second electronic data store, electronic consumer data records associated with the plurality of consumers; determining whether the first tax return data is potentially fraudulent based at least in part on the one or more consumer attributes associated with the first consumer and the first consumer data; upon determining that the first tax return data is potentially fraudulent: sending, to the first consumer, a request for additional information associated with the first tax return data, the request comprising a link configured to automatically gather device identification information when accessed via a device; establishing an electronic communication with a first device in response to the first consumer responding to the request for additional information and accessing the link, the first device associated with the first consumer; receiving, from the first device, device identification information of the first device via the link; receiving, from the first device, personal information associated the first consumer, the personal information provided by the first consumer via the first device; identifying a first consumer data associated with the first consumer from the electronic consumer data records based at least in part on the personal information; generating a unique device identifier of the first device based on the device identification information; determining, based at least in part on the unique device identifier and the first consumer data, whether the first device associated with the first consumer has previously been associated with a fraudulent activity; and upon determining that the first device associated with the first consumer has previously been associated with a fraudulent activity, performing authentication of the first device associated with the first consumer based at least in part on the personal information associated with the first consumer.
 2. The computer-implemented method of claim 1, wherein determining whether the first tax return data is potentially fraudulent comprising: determining one or more consumer attributes from the first consumer data; comparing the one or more consumer attributes from the consumer data with one or more individual consumer attributes from the first tax return; and determining whether the one or more consumer attributes from the consumer data do not match with one or more individual consumer attributes from the first tax return.
 3. The computer-implemented method of claim 1, wherein performing authentication of the first device comprising: generating a set of one or more authentication questions; transmitting, to the first device, the set of one or more authentication questions; receiving, from the first device, a set of one or more responses to the set of one or more authentication questions; and determining, based on the set of one or more responses, whether the set of one or more responses are correct.
 4. The computer-implemented method of claim 1, wherein the first device associated with the first consumer is the same as or different from a device used to electronically submit the first tax return of the first consumer.
 5. The computer-implemented method of claim 1, wherein the first tax return data further comprises one or more device identifiers associated with a device used to electronically submit the first tax return, and wherein the first tax fraud indicator is generated based in part on the one or more device identifiers of the first tax return data.
 6. The computer-implemented method of claim 1, wherein determining whether the first device associated with the first consumer has previously been associated with the fraudulent activity comprising: accessing a third electronic data store comprising device activity data records associated with the plurality of consumers; transmitting a request to the third electronic data store for a device activity data associated with the first device, the request comprising the unique device identifier of the first device; and receiving, from the third electronic data store, the device activity data associated with the first device, wherein the device activity data store indicates whether the first device has been previously associated with fraudulent activities.
 7. The computer-implemented method of claim 6, wherein the device activity data indicates whether first device has been previously associated with fraudulent activities.
 8. A non-transitory computer storage having stored thereon a computer program, the computer program including executable instructions that instruct a computer system to at least: send an electronic request, to a remote tax agency server via a network interface, for a first tax return data, the remote tax agency server comprising a first electronic data store configured to store a plurality of tax return data associated with a plurality of consumers and at least one tax agency; receive, from the remote tax agency server via the network interface, the first tax return data associated with a first tax return of a first consumer, the first tax return data including one or more individual consumer attributes associated with the first consumer; access, from a second electronic data store, electronic consumer data records associated with the plurality of consumers; determine whether the first tax return data is potentially fraudulent based at least in part on the one or more consumer attributes associated with the first consumer and the first consumer data; upon determination that the first tax return data is potentially fraudulent: send, to the first consumer, a request for additional information associated with the first tax return data, the request comprising a link configure to automatically gather device identification information when accessed via a device; establish an electronic communication with a first device in response to the first consumer responding to the request for additional information and accessing the link, the first device associated with the first consumer; receive, from the first device, the device identification information via the link; receive, from the first device, personal information associated the first consumer, the personal information provided by the first consumer via the first device; identify a first consumer data associated with the first consumer from the electronic consumer data records based at least in part on the personal information; generate a unique device identifier of the first device based on the device identification information; determine, based at least in part on the unique device identifier and the first consumer data, whether the first device associated with the first consumer has previously been associated with a fraudulent activity; and upon determination that the first device associated with the first consumer has previously been associated with a fraudulent activity, perform authentication of the first device associated with the first consumer based at least in part on the personal information associated with the first consumer.
 9. The non-transitory computer storage of claim 8, wherein the executable instructions further instruct the computer system to: determine one or more consumer attributes from the first consumer data; compare the one or more consumer attributes from the consumer data with one or more individual consumer attributes from the first tax return; and determine whether the one or more consumer attributes from the consumer data do not match with one or more individual consumer attributes from the first tax return.
 10. The non-transitory computer storage of claim 8, wherein the executable instructions further instruct the computer system to: generate a set of one or more authentication questions; transmit, to the first device, the set of one or more authentication questions; receive, from the first device, a set of one or more responses to the set of one or more authentication questions; and determine, based on the set of one or more responses, whether the set of one or more responses are correct.
 11. The non-transitory computer storage of claim 8, wherein the first device associated with the first consumer is the same as or different from a device used to electronically submit the first tax return of the first consumer.
 12. The non-transitory computer storage of claim 8, wherein the first tax return data further comprises one or more device identifiers associated with a device used to electronically submit the first tax return, and wherein the first tax fraud indicator is generated based in part on the one or more device identifiers of the first tax return data.
 13. The non-transitory computer storage of claim 8, wherein the executable instructions further instruct the computer system to: access a third electronic data store comprising device activity data records associated with the plurality of consumers; transmit a request to the third electronic data store for a device activity data associated with the first device, the request comprising the unique device identifier of the first device; and receive, from the third electronic data store, the device activity data associated with the first device, wherein the device activity data store indicates whether the first device has been previously associated with fraudulent activities.
 14. The non-transitory computer storage of claim 13, wherein the device activity data indicates whether first device has been previously associated with fraudulent activities.
 15. A system for generating tax fraud indicators, the system comprising: a network interface configured to send and receive secure, encrypted electronic messages with a remote tax agency server, the remote tax agency server comprising a first electronic data store configured to store a plurality of tax return data associated with a plurality of consumers and at least one tax agency; a second electronic data store comprising electronic consumer data records associated with the plurality of consumers; a computing device configured to electronically communicate with the second electronic data store and the third electronic data store, the computing device comprising one or more processors programmed to execute software instructions to cause the system to: send an electronic request, to a remote tax agency server via a network interface, for a first tax return data; receive, from the remote tax agency server via the network interface, the first tax return data associated with a first tax return of a first consumer, the first tax return data including one or more individual consumer attributes associated with the first consumer; access, from a second electronic data store, the electronic consumer data records associated with the plurality of consumers; determine whether the first tax return data is potentially fraudulent based at least in part on the one or more consumer attributes associated with the first consumer and the first consumer data; upon determination that the first tax return data is potentially fraudulent: send, to the first consumer, a request for additional information associated with the first tax return data, the request comprising a link configured to automatically gather device identification information when accessed via a device; establish an electronic communication with a first device in response to the first consumer responding to the request for additional information and accessing the link, the first device associated with the first consumer; receive, from the first device, the device identification information via the link; receive, from the first device, personal information associated the first consumer, the personal information provided by the first consumer via the first device; identify a first consumer data associated with the first consumer from the electronic consumer data records based at least in part on the personal information; generate a unique device identifier of the first device based on the device identification information; determine, based at least in part on the unique device identifier and the first consumer data, whether the first device associated with the first consumer has previously been associated with a fraudulent activity; and upon determination that the first device associated with the first consumer has previously been associated with a fraudulent activity, perform authentication of the first device associated with the first consumer based at least in part on the personal information associated with the first consumer.
 16. The system of claim 15, wherein the software instructions further cause the system to: determine one or more consumer attributes from the first consumer data; compare the one or more consumer attributes from the consumer data with one or more individual consumer attributes from the first tax return; and determine whether the one or more consumer attributes from the consumer data do not match with one or more individual consumer attributes from the first tax return.
 17. The system of claim 15, wherein the software instructions further cause the system to: generate a set of one or more authentication questions; transmit, to the first device, the set of one or more authentication questions; receive, from the first device, a set of one or more responses to the set of one or more authentication questions; and determine, based on the set of one or more responses, whether the set of one or more responses are correct.
 18. The system of claim 15, wherein the first device associated with the first consumer is the same as or different from a device used to electronically submit the first tax return of the first consumer.
 19. The system of claim 15, wherein the first tax return data further comprises one or more device identifiers associated with a device used to electronically submit the first tax return, and wherein the first tax fraud indicator is generated based in part on the one or more device identifiers of the first tax return data.
 20. The system of claim 15, wherein the software instructions further cause the system to: access a third electronic data store comprising device activity data records associated with the plurality of consumers; transmit a request to the third electronic data store for a device activity data associated with the first device, the request comprising the unique device identifier of the first device; and receive, from the third electronic data store, the device activity data associated with the first device, wherein the device activity data store indicates whether the first device has been previously associated with fraudulent activities. 